Is spree_core affected by CVE-2026-22589?

RubyGems spree_core is affected in >=4.0.0 =5.0.0 =5.1.0 =5.2.0 <5.2.5.

Is CVE-2026-22589 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.4%.

high

CVE-2026-22589

Q: Is CVE-2026-22589 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.4%.

RubyGems · spree_core

Summary

Spree API has Unauthenticated IDOR - Guest Address

Severity: high
EPSS: 0.4% (p30)
Also known as: GHSA-3ghg-3787-w2xr
Published: 2026-01-08

References

https://github.com/spree/spree/security/advisories/GHSA-3ghg-3787-w2xr
https://nvd.nist.gov/vuln/detail/CVE-2026-22589
https://github.com/spree/spree/commit/16067def6de8e0742d55313e83b0fbab6d2fd795

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.